tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Filip Hanik - Dev" <devli...@hanik.com>
Subject Re: session facade not used for event
Date Tue, 01 Jun 2004 21:48:50 GMT
>> Facading is likely worthless for sessions,

you think so, you don't think session.setPrincipal is a security issue?

Filip

----- Original Message -----
From: "Remy Maucherat" <remm@apache.org>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Tuesday, June 01, 2004 3:02 PM
Subject: Re: session facade not used for event


> Filip Hanik - Dev wrote:
> > Quick question, is there a reason the user code has access to the
> > internal session instead of the session facade on session events?
> >
> >> event = new HttpSessionBindingEvent(this,name,value); //inside
> >> StandardSession
> >
> > as opposed to this code, which would give the user a facade? event =
> > new HttpSessionBindingEvent(new SessionFacade(this),name,value);
>
> Yes, but no.
> Facading is likely worthless for sessions, as we're (fortunately) not
> recycling them anymore. The session manager will prevent accessing any
> of the extra methods (and even then, I'm not sure there's any public
> methods worth exploiting).
>
> Rémy
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message